SANS ISC: SSH scanning from compromised mail servers
SSH scanning from compromised mail servers

We received two reports about an increase in SSH scanning. One of them (thanks Quentin!) correlated the sources and found that, based on reverse DNS lookups, 706 out of 824 sources appear to run mail servers. We do not have any associated malware at this point, and the mail servers appear to run various SMTP daemons. If you observe a similar pattern, or better, if your mail server scans for port 22 TCP, please let us know.

DenyHosts, which monitors SSH brute-force attacks, detected a remarkable uptick. We do not see an uptick in our data, but we only monitor firewall logs, which would not record connections to open SSH servers.
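The correlation step described above, as an added Python example rather than code from the ISC or from the reporter: it counts failed SSH logins per source address from sshd log lines and tags a source as a likely mail server when its reverse DNS name carries a mail-related label (mail, smtp, mx, relay, ...). The log lines and the PTR table are constructed here so the example runs offline; the function names and label list are my own choices, and a live run would replace the table with socket.gethostbyaddr.

```python
import re
import socket
from collections import Counter

# Constructed sample sshd log lines (not from the ISC diary). Addresses are
# taken from the RFC 5737 documentation ranges.
SAMPLE_AUTH_LOG = """\
Apr  6 14:02:11 host sshd[2101]: Failed password for root from 192.0.2.10 port 40122 ssh2
Apr  6 14:02:13 host sshd[2103]: Failed password for invalid user admin from 192.0.2.10 port 40130 ssh2
Apr  6 14:05:40 host sshd[2110]: Failed password for root from 198.51.100.7 port 51002 ssh2
Apr  6 14:09:02 host sshd[2118]: Invalid user test from 203.0.113.55 port 33210
Apr  6 14:09:05 host sshd[2118]: Failed password for invalid user test from 203.0.113.55 port 33210 ssh2
Apr  6 14:11:58 host sshd[2125]: Accepted publickey for alice from 198.51.100.200 port 60210 ssh2
Apr  6 14:15:20 host sshd[2131]: Failed password for root from 192.0.2.77 port 41200 ssh2
"""

# Constructed PTR answers standing in for reverse DNS so the example runs offline.
SAMPLE_PTR = {
    "192.0.2.10": "mail.example.com",
    "198.51.100.7": "smtp2.example.net",
    "203.0.113.55": "dsl-55.pool.example.org",
    "192.0.2.77": "mx1.example.edu",
}

FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for .* from (\d+\.\d+\.\d+\.\d+) port \d+"
)

# Hostname labels that usually indicate an SMTP/mail role. A PTR record is a
# weak signal: the address owner sets it, and it may be stale or generic.
MAIL_LABELS = ("mail", "smtp", "mx", "relay", "pop", "imap", "exchange")


def failed_logins_by_source(log_text):
    """Count failed SSH password attempts per source IP in sshd log text."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            counts[m.group(1)] += 1
    return counts


def looks_like_mail_server(hostname):
    """True if any label of the hostname starts with a mail-related token."""
    if not hostname:
        return False
    labels = hostname.lower().split(".")
    return any(label.startswith(tok) for label in labels for tok in MAIL_LABELS)


def resolve_ptr(ip, ptr_table=None):
    """Reverse-resolve an IP: use ptr_table when given (offline), else real DNS."""
    if ptr_table is not None:
        return ptr_table.get(ip)
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror, OSError):
        return None


def classify_sources(log_text, ptr_table=None):
    """Return (mail_server_count, total_sources, per_source_details)."""
    counts = failed_logins_by_source(log_text)
    details = {}
    mail = 0
    for ip, attempts in counts.items():
        ptr = resolve_ptr(ip, ptr_table)
        is_mail = looks_like_mail_server(ptr)
        mail += int(is_mail)
        details[ip] = {"attempts": attempts, "ptr": ptr, "mail_server": is_mail}
    return mail, len(counts), details


if __name__ == "__main__":
    mail, total, details = classify_sources(SAMPLE_AUTH_LOG, SAMPLE_PTR)
    for ip, d in sorted(details.items()):
        print(f"{ip:16} attempts={d['attempts']} ptr={d['ptr']} mail={d['mail_server']}")
    print(f"{mail} of {total} scanning sources have mail-server-looking PTR names")
```

The input here is the sshd authentication log of a host that accepts SSH, which is what the diary's remark about firewall logs points at: a firewall only records connections it blocked, so attempts against an open SSH server show up only in the server's own log. The PTR-based tag is a lead for further investigation, not proof that the source runs SMTP.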

Johannes B. Ullrich, Ph.D.
SANS Technology Institute



ISC Handler
Apr 7th 2009
This has been very widespread, but "low and slow". It has also stopped in the last 25 minutes, almost exactly 24 hours after it began.

Got lots of SSH scans for some days on my box, but have "fail2ban" installed against it. Will try to use "DenyHosts" instead to upload statistics too from my network (Neuf Telecom / SFR in France).


Just wanted to confirm that we are seeing this as well. A few of the IPs were mail servers, but many were not.

I have netflow data from my SP network that caught all this rogue traffic if ISC wants it. I specifically watch for SSH traffic destined for key points in our network that should never be accessed from the outside world. I generally catch between a dozen and 3-4 dozen each day. I caught 753 between the 6th and 7th on traffic from just one of our upstreams. The scanning has not stopped either. It has only slowed slightly.
